Attributes TransientID and uid not released

Nate Klingenstein ndk at internet2.edu
Tue Jul 30 12:28:03 EDT 2013


Gilles,

I think this is normal behavior.  The transientId should not be sent as an attribute, but instead as a NameID in your assertions.  Your log messages are consistent with that occurring.  Is there something that makes you believe the SP is not receiving a transient name identifier in the Subject of the SAML assertion?

See down further in your logs:

11:57:48.653 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541] - Retaining attribute transientId which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder

11:57:48.653 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:566] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:transient]

11:57:48.654 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'https://sp.testshib.org/shibboleth-sp'

Thanks,
Nate.

On Jul 30, 2013, at 15:51 , Gilles Badouet wrote:

> Hi all,
> 
> All my configured attributes are released apart from TransientID and uid. 
> Does the TransientID have anything to do with uid (username)? 
> 
> The debug line that seems to be related to that issue is:
> DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] -Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
> 
> Below is my transientId attribute in attribute-resolver.xml:
>     <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
>         <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
>         <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
>     </resolver:AttributeDefinition>
> 
> And in attribute-filter.xml
> <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
>         <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
>         <afp:AttributeRule attributeID="transientId">
>             <afp:PermitValueRule xsi:type="basic:ANY"/>
>         </afp:AttributeRule>
>     </afp:AttributeFilterPolicy>
> 
> Kind regards
>  
>  
> Gilles Rubens Badouet
> 
